
Continuous and Non-intrusive Reauthentication of Web Sessions based on Mouse Dynamics

posted May 29, 2014, 2:21 AM by Alberto Bartoli   [ updated May 29, 2014, 5:04 AM by Eric Medvet ]
Just accepted at the prestigious ARES Conference 2014.

The title says a lot of things:
  • We propose a system for continuous reauthentication of web users based on the observed mouse dynamics. The task of the system is to continuously check the actual mouse dynamics and to generate an alert whenever the observed data do not fit the mouse dynamics of the claimed user.
  • We do not advocate usage of mouse dynamics as the only tool for authenticating users and suggest instead its use as a layer for a defense-in-depth strategy, i.e., as a complement to other forms of authentication, intrusion detection, and so on. Indeed, authentication credentials are increasingly considered just one of the multiple signals to be used for authenticating humans.
  • The threat model assumes an attacker who impersonates a legitimate user in web browsing sessions which last for several minutes on a mouse-equipped platform. This model fits, in particular, credential stealing scenarios where an attacker occasionally or routinely accesses an account fraudulently. The model does not address attackers who perform a session lasting just a few seconds.
  • A key feature of our proposal is that no specific software needs to be installed on client machines; this allows continuous reauthentication capabilities to be integrated easily into the existing infrastructure of large organizations.
  • Key scenarios:
    • web applications hosted in the cloud, where users authenticate with standard mechanisms;
    • organizations which allow locally authenticated users to access external web applications;
    • enterprise applications hosted in local servers or private cloud facilities.
  • We assess our proposal with real data from 24 users, collected during normal working activity over several working days. We obtain accuracy in the order of 97%, which is in line with earlier proposals that require instrumenting client workstations to intercept all mouse activity, quite a strong requirement for large organizations.
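To make the mechanism in the bullets concrete, here is an added toy example in Python. It is not the authors' system, and the features, thresholds and synthetic mouse traces are all my own constructions: a stream of (timestamp, x, y) mouse-move events, such as a page script could report to the server without installing client software, is cut into windows, each window is reduced to a few behavioural features (speed, speed variability, direction change), a per-user profile is enrolled from a few windows, and every later window is scored against that profile so that a session taken over by someone with a different mouse style raises an alert.

```python
# Added example, not the authors' system: a toy continuous reauthentication
# check driven by mouse-dynamics features. Feature set, z-score scoring,
# threshold and synthetic traces are all constructed for illustration.
import math
import random
from statistics import mean, pstdev

FEATURES = ("speed_mean", "speed_std", "turn_mean")


def extract_features(events):
    """Behavioural features for one window of (t_ms, x, y) mouse-move events."""
    speeds, turns = [], []
    prev_heading = None
    for (t0, x0, y0), (t1, x1, y1) in zip(events, events[1:]):
        dt = t1 - t0
        dx, dy = x1 - x0, y1 - y0
        dist = math.hypot(dx, dy)
        if dt <= 0 or dist == 0.0:
            continue  # duplicate timestamp or no movement: nothing to measure
        speeds.append(dist / dt)  # pixels per millisecond
        heading = math.atan2(dy, dx)
        if prev_heading is not None:
            # change of direction between consecutive moves, wrapped to [-pi, pi]
            turn = (heading - prev_heading + math.pi) % (2 * math.pi) - math.pi
            turns.append(abs(turn))
        prev_heading = heading
    return {"speed_mean": mean(speeds), "speed_std": pstdev(speeds),
            "turn_mean": mean(turns)}


def build_profile(enrol_windows):
    """Per-feature mean and spread over several enrolment windows of one user."""
    feats = [extract_features(w) for w in enrol_windows]
    profile = {}
    for name in FEATURES:
        vals = [f[name] for f in feats]
        mu = mean(vals)
        # floor the spread so a very consistent user is not flagged on noise alone
        sigma = max(pstdev(vals), 0.1 * abs(mu), 1e-9)
        profile[name] = (mu, sigma)
    return profile


def score_window(events, profile):
    """Mean absolute z-score of the window's features against the profile."""
    f = extract_features(events)
    return mean(abs(f[n] - profile[n][0]) / profile[n][1] for n in FEATURES)


def monitor(session, profile, window=200, threshold=3.0):
    """Score consecutive non-overlapping windows of an ongoing session.

    Returns (window_index, score, alert) per window; alert=True means the
    window does not fit the claimed user's profile.
    """
    out = []
    for i in range(0, len(session) - window + 1, window):
        s = score_window(session[i:i + window], profile)
        out.append((i // window, round(s, 2), s > threshold))
    return out


def synth_moves(rng, n, step_px, jitter_px, max_turn, start=(0, 500.0, 400.0)):
    """Constructed mouse trace: a random walk with a given pace and smoothness."""
    t, x, y = start
    heading, events = 0.0, []
    for _ in range(n):
        heading += rng.uniform(-max_turn, max_turn)
        d = max(0.5, rng.gauss(step_px, jitter_px))
        x += d * math.cos(heading)
        y += d * math.sin(heading)
        t += 20  # one sample every 20 ms
        events.append((t, round(x, 1), round(y, 1)))
    return events


# Constructed "styles": the legitimate user is slow and smooth, the impostor fast and jerky.
LEGIT = dict(step_px=5.0, jitter_px=1.5, max_turn=0.3)
IMPOSTOR = dict(step_px=20.0, jitter_px=6.0, max_turn=1.0)


def demo():
    """Enrol a profile, then monitor a session that is taken over midway."""
    rng = random.Random(7)
    profile = build_profile([synth_moves(rng, 200, **LEGIT) for _ in range(5)])
    legit = synth_moves(rng, 600, **LEGIT)
    takeover = synth_moves(rng, 400, **IMPOSTOR, start=legit[-1])
    return monitor(legit + takeover, profile)


if __name__ == "__main__":
    for idx, s, alert in demo():
        print(f"window {idx}: score={s:6.2f} {'ALERT' if alert else 'ok'}")
```

The three legitimate windows score close to the profile and the two windows after the takeover score far from it, so the alert fires only once the mouse style changes. A real deployment would use richer features (click timing, pauses, drag segments), a properly trained per-user model, and a threshold tuned on enrolment data to balance false alerts against missed impostors; the window length also sets how long an attacker can act before detection, which is why the threat model above excludes sessions of only a few seconds.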
We hope this work will have rather interesting developments in the next months...